Microsoft Security Bulletin MS04-017
Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service (842689)
Issued: June 8, 2004
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft® Visual Studio .NET 2003, who use Microsoft Office Outlook 2003 with Business Contact Manager, or who use Microsoft Business Solutions Customer Relationship Management (CRM) 1.2
Impact of Vulnerability: Information Disclosure and Denial of Service
Maximum Severity Rating: Moderate
Recommendation: Customers should consider applying the security update.
Security Update Replacement: None
Caveats:
• Customers who use both Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, and who have Internet Information Services installed, should install the update for both products.
• The update for the component in Microsoft Business Solutions CRM 1.2 is available on the Business Objects Web site.
Tested Software and Security Update Download Locations:
Affected Software:
• Visual Studio .NET 2003 – Download the update
• Outlook 2003 with Business Contact Manager – Download the update
• Microsoft Business Solutions CRM 1.2 – Download the update from the Business Objects Web site
Non-Affected Software:
• All other supported versions of Visual Studio, Outlook, and Microsoft Business Solutions CRM.
Note: Outlook 2003 with Business Contact Manager is an add-on to Outlook 2003 that is available on a separate CD, together with Microsoft Office Small Business Edition 2003 and Microsoft Office Professional Edition 2003.
The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
Executive Summary:
This update resolves a newly-discovered vulnerability in Crystal Reports and Crystal Enterprise from Business Objects. Microsoft Visual Studio .NET 2003 (all versions) and Outlook 2003 with Business Contact Manager redistribute Crystal Reports and are therefore affected by the vulnerability. Microsoft Business Solutions CRM 1.2 redistributes Crystal Enterprise, which is affected in the same way. The vulnerability is documented in the Vulnerability Details section of this bulletin.
An attacker who successfully exploited the vulnerability could retrieve and delete files through the Crystal Reports and Crystal Enterprise Web viewers on an affected system. The number of files that are impacted by this vulnerability would depend on the security context of the affected component that is used by the Crystal Web viewer.
Note: Systems can only be vulnerable if they have Internet Information Services (IIS) installed.
Microsoft recommends that customers consider applying the security update.
http://www.microsoft.com/technet/security/...n/MS04-017.mspx